nixos/postgresql: run ExecStartPost as an unprivileged user

nixos/doc/manual/release-notes/rl-2009.xml

@@ -666,11 +666,19 @@ services.dokuwiki."mywiki" = {
    <listitem>
     <para>
       The <xref linkend="opt-services.postgresql.dataDir"/> option is now set to <literal>"/var/lib/postgresql/${cfg.package.psqlSchema}"</literal> regardless of your
-      <xref linkend="opt-system.stateVersion"/>. Users with an existing postgresql install that have a <xref linkend="opt-system.stateVersion"/> of <literal>17.09</literal> or below
+      <xref linkend="opt-system.stateVersion"/>. Users with an existing postgresql install that have a <xref linkend="opt-system.stateVersion"/> of <literal>17.03</literal> or below
       should double check what the value of their <xref linkend="opt-services.postgresql.dataDir"/> option is (<literal>/var/db/postgresql</literal>) and then explicitly
       set this value to maintain compatibility:
 <programlisting>
 services.postgresql.dataDir = "/var/db/postgresql";
+</programlisting>
+    </para>
+    <para>
+     The postgresql module now expects there to be a database super user account called <literal>postgres</literal> regardless of your <xref linkend="opt-system.stateVersion"/>. Users
+     with an existing postgresql install that have a <xref linkend="opt-system.stateVersion"/> of <literal>17.03</literal> or below should run the following SQL statements as a
+     database super admin user before upgrading:
+<programlisting>
+CREATE ROLE postgres LOGIN SUPERUSER;
 </programlisting>
     </para>
    </listitem>

nixos/modules/services/databases/postgresql.nix

@@ -225,14 +225,15 @@ in
           Contents of the <filename>recovery.conf</filename> file.
         '';
       };
+
       superUser = mkOption {
         type = types.str;
-        default= if versionAtLeast config.system.stateVersion "17.09" then "postgres" else "root";
+        default = "postgres";
         internal = true;
+        readOnly = true;
         description = ''
-          NixOS traditionally used 'root' as superuser, most other distros use 'postgres'.
+          PostgreSQL superuser account to use for various operations. Internal since changing
-          From 17.09 we also try to follow this standard. Internal since changing this value
+          this value would lead to breakage while setting up databases.
-          would lead to breakage while setting up databases.
         '';
         };
     };
@@ -336,7 +337,7 @@ in
                 setupScript = pkgs.writeScript "postgresql-setup" (''
                   #!${pkgs.runtimeShell} -e
 
-                  PSQL="${pkgs.utillinux}/bin/runuser -u ${cfg.superUser} -- psql --port=${toString cfg.port}"
+                  PSQL="psql --port=${toString cfg.port}"
 
                   while ! $PSQL -d postgres -c "" 2> /dev/null; do
                       if ! kill -0 "$MAINPID"; then exit 1; fi
@@ -362,7 +363,7 @@ in
                   '') cfg.ensureUsers}
                 '');
               in
-                "+${setupScript}";
+                "${setupScript}";
           }
           (mkIf (cfg.dataDir == "/var/lib/postgresql/${cfg.package.psqlSchema}") {
             StateDirectory = "postgresql postgresql/${cfg.package.psqlSchema}";